Bank of N T Butterfield & Son : 30 June 2022.

Capital and Risk Management Pillar 3 Disclosures for the period ended June 30, 2022

Contents	Page
1.	Overview	3
1.1.	Background
1.2.	Basis of disclosures
1.3.	Scope of applications
1.4.	Location and verification
2.	Risk Management Objectives and Policies	5

1. Risk governance
2. Risk management

3.	Prudential Metrics	7
4.	Capital Adequacy	9

1. Capital management
2. Regulatory capital framework
3. Capital structure
4. Linkages between financial statements and regulatory exposures
5. Minimum capital requirement: Pillar 1
6. Leverage ratio

5. Credit Risk Measurement, Mitigation and Reporting

15

1. Credit risk overview
2. Credit risk - retail and private banking
3. Credit risk - commercial banking
4. Credit risk - treasury
5. Exposures
6. Impairment provisions
7. Credit risk concentrations
8. Credit risk mitigation
9. Securitization

6. Market and Liquidity Risk

27

1. Market risk overview
2. Interest rate risk
3. Foreign exchange risk
4. Liquidity risk

7.	Operational Risk	32
8.	Other Information	33

1. Abbreviations
2. Cautionary statements regarding forward-looking statements

Page 2

Capital and Risk Management Pillar 3 Disclosures for the period ended June 30, 2022

1. Overview

1.1 Background

Effective January 1, 2015, the BMA implemented the capital reforms proposed by the BCBS and referred to as the Basel III regulatory framework. Basel III aims to raise the quality, consistency and transparency of the capital base, limit the build-up of excess leverage and increase capital requirements for the banking sector. Basel III adopts CET1 capital as the predominant form of regulatory capital with the CET1 ratio as a new metric. Basel III also adopts the new Leverage Ratio, Liquidity Coverage Ratio ("LCR") and Net Stable Funding Ratio ("NSFR") regimes. We are now subject to the following requirements:

• CET1 ratio of at least 7.0% of RWA, inclusive of a minimum CET1 ratio of 4.5% and the new capital conservation buffer of 2.5%, but excluding the D-SIB surcharge described below;
• Tier 1 capital of at least 8.5% of RWA, inclusive of a minimum Tier 1 ratio of 6% and the new capital conservation buffer of 2.5% but excluding the D-SIB surcharge described below;
• Total capital of at least 10.5% of RWA, inclusive of a minimum total capital ratio of 8% and the new capital conservation buffer of 2.5% but excluding the D-SIB surcharge described below;
• The Group is considered to be a D-SIB and is subject to a 3% surcharge composed of CET1-eligible capital implemented by the BMA effective September 30, 2015. This is based upon the BMA's assessment of the extent to which the Group (individually and collectively with the other Bermuda banks) poses a degree of material systemic risk to the economy of Bermuda due to its role in deposit taking, lending, payment systems and other core economic functions;
• Counter-cyclicalbuffer of up to 2.5% composed of CET1-eligible capital may be implemented by the BMA when macroeconomic indicators provide an assessment of excessive credit or other pressures building in the banking sector, potentially increasing the CET1, Tier 1 and total capital ratios by up to 2.5%. No Counter-cyclical buffer has been implemented to date;
• Leverage ratio of 5.0% or higher;
• LCR with a minimum requirement of 100%; and
• NSFR with a minimum requirement of 100%.

The minimum capital ratio requirements set forth above do not reflect additional Pillar 2 add-on requirements that the BMA may impose upon the Group as a prudential measure from time to time. As the Group's capital requirements remain under continuous review by the BMA pursuant to its prudential supervision, the Group cannot guarantee that the BMA will not seek higher total capital ratio requirements from time to time.

In December 2017, the BCBS published standards that it described as the finalization of the Basel III post-crisis regulatory reforms (the standards are commonly referred to as "Basel IV"). Among other things, these standards revise the BCBS's standardized approach for credit risk (including recalibrating risk weights and introducing new segmentations for exposures) and provides a new standardized approach for operational risk capital. Under the BCBS framework, these standards will generally be effective on January 1, 20231, with an aggregate output floor phasing in through January 1, 20281. The impact of these standards on us will depend on the manner in which they are adopted by the BMA.

The requirements of the Basel III regulatory capital framework include the disclosure requirements applicable to banks and deposit-taking companies which are known as Pillar 3. These are designed to promote market discipline by providing market participants with key information on a firm's risk exposure and risk management processes. Pillar 3 also aims to complement the minimum capital requirements described under Pillar 1, as well as the supervisory processes of Pillar 2.

1.2 Basis of Disclosures

This disclosure document has been prepared by the Group on a standardized basis and in accordance with the rules laid out in the BCBS standards issued in January 2015 entitled 'Revised Pillar 3 Disclosure Requirements' and in March 2017 entitled "Pillar 3 disclosure requirements - consolidated and enhanced framework" and as adopted by the BMA. Unless otherwise stated, all figures are as at June 30, 2022 and are expressed in US dollars. Certain tables in this report may not sum due to rounding.

• In March 2020, in response to the pandemic, the BCBS deferred the implementation timeline from January 1, 2022 to January 1, 2023 and the output floor phasing in from January 1, 2027 to January 1, 2028.

Page 3

Capital and Risk Management Pillar 3 Disclosures for the period ended June 30, 2022

1.3 Scope of Application

The Bank is the parent company of The Bank of N.T. Butterfield & Son Limited group of companies and is regulated by the BMA. The Basel III Framework, therefore, applies to the Bank and its subsidiary undertakings (together referred to as both the "Bank" and the "Group").

There is a requirement to calculate and maintain regulatory capital ratios on both a consolidated and a solo basis in respect of the Group's businesses in Bermuda, the Cayman Islands, Guernsey and Jersey. Differences may exist between jurisdictions in the calculation of regulatory capital requirements. However, there are no differences between the basis of consolidation of the Group for accounting and prudential purposes. Full details of the basis of consolidation can be found in Note 2 of the Group's audited consolidated financial statements for the year ended December 31, 2021.

The Group is made up of the following principal operating entities, which are all wholly owned subsidiaries and fully consolidated in the Group's financial statements:

The Bank of N.T. Butterfield & Son Limited, Bermuda

Butterfield Asset Management Limited, Bermuda

Butterfield Securities (Bermuda) Limited

Butterfield Trust (Bermuda) Limited

Bermuda Trust Company Limited

Butterfield Bank (Cayman) Limited

Butterfield Trust (Cayman) Limited

Butterfield Bank (Guernsey) Limited

Butterfield Trust (Guernsey) Limited

Butterfield Bank (Jersey) Limited

Butterfield Mortgages Limited, UK

Butterfield Trust (Bahamas) Limited

Butterfield Holdings (Switzerland) Limited

Butterfield Trust (Switzerland) Limited

Butterfield Trust (Asia) Limited

All the Group's subsidiaries are included in the Pillar 3 disclosures. Each overseas operating company is regulated by its own local regulator and is subject to its own regulatory capital requirements. Further details of the principal subsidiary undertakings can be found in the Annual Report of the Group for the year ended December 31, 2021.

1.4 Location and Verification

Pursuant to BCBS guidance issued in January 20152, these disclosures have been published following Board approval.

The disclosures are not subject to external audit except where they are equivalent to those prepared under the accounting requirements for the inclusion in the Group's Audited Financial Statements.

These disclosures have been published on the Group's corporate website (https://www.butterfieldgroup.com/investor-relations/pillar-3-disclosure).

• https://www.bis.org/bcbs/publ/d309.pdf

Page 4

Capital and Risk Management Pillar 3 Disclosures for the period ended June 30, 2022

2. Risk Management Objectives and Policies

2.1 Risk Governance

The principal types of risk inherent in our business are market, liquidity, credit and operational risks.

The Board has overall responsibility for determining the strategy for risk management, setting the Group's risk appetite and ensuring that risk is monitored and controlled effectively. It accomplishes its mandate through the activities of two dedicated committees:

The Risk Policy and Compliance Committee ("RPCC"): This committee of the Board assists the Board in fulfilling its responsibilities by overseeing the Group's risk profile and its performance against approved risk appetites and tolerance thresholds. Specifically, the committee considers the sufficiency of the Group's policies, procedures and limits related to the identification, measurement, monitoring and control of activities that give rise to credit, market, liquidity, interest rate, operational, regulatory, compliance, climate and reputational risks, as well as overseeing its compliance with laws, regulations and codes of conduct.

The Audit Committee: This committee reviews the overall adequacy and effectiveness of the Group's system of internal controls and the control environment, including in respect of the risk management process. It reviews recommendations arising from internal and independent audit review activities and management's response to any findings raised.

Both the RPCC and Audit Committee are supported in the execution of their respective mandates by the dedicated Audit, Compliance and Risk Policy Committees for our UK, Guernsey, Jersey, Cayman Islands and The Bahamas operations, which oversee the sufficiency of local risk management policies and procedures and the effectiveness of the system of internal controls that are in place. These committees are chaired by non-executive directors drawn from the boards of directors for each segment.

The Group executive management team is led by the Chairman and CEO and includes the members of executive management reporting directly to the Chairman and CEO. The executive management team is responsible for setting business strategy and for monitoring, evaluating and managing risks across the Group. It is supported by the following management committees:

The Group Risk and Compliance Committee ("GRCC"): This committee comprises executive and senior management team members and is chaired by the Group Chief Risk Officer. It provides a forum for the strategic assessment of risks assumed across the Group as a whole based on an integrated view of credit, market, liquidity, legal, regulatory and financial crime compliance, fiduciary, operational, cybersecurity, climate, insurance, pension, investment, capital and reputational risks, ensuring that these exposures are consistent with the risk appetites and tolerance thresholds promulgated by the Board and oversees the compliance of regulatory obligations arising under applicable laws, rules and regulations. It is responsible (i) for reviewing, evaluating and recommending the Group's Risk Appetite Framework, the results of the Capital Assessment and Risk Profile and recovery and resolution planning processes (including all associated stress testing performed) and the Group's key risk policies to the Board for approval; (ii) for reviewing and evaluating current and proposed business strategies in the context of our risk appetites; and (iii) for identifying, reviewing and advising on current and emerging risk issues and associated mitigation plans; and (iv) for reviewing the Group's compliance with external regulations and internal policies.

The Group Asset and Liability Committee ("GALCO"): This committee comprises executive and senior management team members and is chaired by the Group CFO. The committee is responsible for liquidity, interest rate and foreign exchange rate risk management and other balance sheet issues. It also oversees key policies and the execution of the Group's investment and capital management strategies and monitors the associated risks assumed. It is supported in the execution of its mandate by the work undertaken by the dedicated Asset & Liability Committees in each of the Bank's segments.

The Group Credit Committee ("GCC"): This committee comprises executive and senior management and is chaired by the Group Chief Risk Officer. The committee is responsible for a broad range of activities relating to the monitoring, evaluation and management of credit risks assumed across the Group at both transaction and portfolio levels. It is supported in the execution of its mandate by the Financial Institutions Committee ("FIC"), a dedicated sub-committee that is responsible for the evaluation and approval of recommended inter-bank and counterparty exposures assumed in the Group's treasury and investment portfolios, and by the activities of the jurisdictional Credit Committees, which review and approve transactions within delegated authorities and recommends specific transactions outside of these limits to the GCC for approval.

The Provisions and Impairments Committee: This committee comprises executive and senior management team members and is chaired by the Group Chief Risk Officer. The committee is responsible for approving significant provisions and other impairment charges. It also oversees the overall credit risk profile of the Group in regards to non-accrual loans and assets. It is supported in the execution of its mandate by jurisdictional credit committees and the GCC, which make recommendations to this committee.

Page 5